Clubhouse security called into question
While Clubhouse’s popularity continues to increase, its time in the spotlight has put the platform under scrutiny. In part two of Clubhouse for accountants, Nick Levine investigates recent concerns surrounding the private social media app.
As of February, the Clubhouse app had been downloaded 10 million times, so it was unsurprising that the platform's security came under scrutiny once it was in the spotlight over the last few weeks.
As the app is only available on iOS, third-party developers have reverse-engineered Clubhouse to create unofficial versions on Android and Windows to allow non-iPhone users to listen in on Clubhouse room conversations.
The ease with which these apps have been able to access and reuse Clubhouse's original code, and then rebroadcast its content, has raised alarm bells over its security. It has also raised broader questions about the platform's use of user data and its GDPR compliance.
App clones and audio leakage
The plethora of unofficial apps (such as Hipster House and Open Clubhouse) which play back audio from the original platform were created to cater to the demands of individuals who want to consume Clubhouse content but are unable to do so, either because they are not iPhone users or because of the restrictions on room capacity.
Clubhouse rooms are limited to 5,000 participants, and demand easily outstripped that capacity when Elon Musk hosted a conversation with Vlad Tenev, CEO of commission-free investing app Robinhood, in January.
Alongside the use of unofficial apps, Clubhouse conversations were streamed live on YouTube, a clear breach of Clubhouse's terms. The publicity created more demand for the platform, highlighting issues relating to its data usage and security.
While Clubhouse insists that “recording or streaming without the explicit permission of speakers is against the Clubhouse terms of service,” new unofficial apps are still popping up all the time.
The audio leakage is made possible by a security flaw in Clubhouse's backend: users are able to call the API of Agora (the real-time voice engagement software which powers the app) directly and stream audio without using the Clubhouse app at all.
Additionally, Agora is based in Shanghai and the USA, and the Stanford Cyber Policy Center believes that the company “would likely have access to users’ raw audio, potentially providing access to the Chinese government.”
Given that Clubhouse is banned in China, it is possible that the state would want to monitor conversations among its citizens. However, Stanford researchers also point out that the Chinese authorities would most likely only access temporarily recorded Clubhouse conversations (for legitimate reasons related to terrorism or hate crime) if the audio is stored in the US.
Data security and privacy
Alongside data leakage, there are also worries over Clubhouse's security, particularly with regards to GDPR. These concerns relate to the app's underlying design, alongside a failure to comply with basic security protocols.
Unlike most other social media platforms, users are not required to confirm their age or true identity when first signing up to the app. Users are also actively encouraged to share their contacts in order to invite them to join, as there is no other way of doing so. This creates the risk of accidentally inviting an ex-partner or former client if their details are stored on users' phones. The latter would be particularly embarrassing if the relationship with the former associate did not end amicably.
Clubhouse has responded to news stories about audio leaks by permanently banning offending users and installing new safeguards to try to prevent this from happening again. It has also recently hired an Android developer to create an app for Google's mobile operating system.
However, as the app’s privacy and security fail on several counts, it is unlikely that these issues will soon be resolved.
ICAEW’s Tech Faculty technical manager Kirstin Gillon believes users should use Clubhouse cautiously to ensure sensitive data is not misappropriated. “We should always be mindful of what we share on social media, especially apps that are public or semi-public,” commented Gillon.
“Cybercriminals often make use of such data to hone phishing or social engineering attacks, so there are risks about sharing even innocuous information.”
Gillon also believes a particular challenge for Clubhouse is that its spike in popularity has come very early in its lifecycle. As a result, she thinks it may not have "mature controls and data policies that you would expect to see in a more established company."
She advises early adopters to read the platform’s terms and conditions carefully and be cautious about requests relating to personal data collection.
Nick Levine is a chartered accountant and journalist, with a particular interest in fintech. He was formerly the Advisory Lead at Deloitte’s Propel and the Head of Enterprise for ICAEW. His writing portfolio includes The Times, Wired and Real Business.